Cross-Site Scripting Vulnerability in Telerik Reporting for ASP.NET WebForms
CVE-2017-9140

6.1MEDIUM

Key Information:

Vendor
Progress
Status
Telerik Reporting
Vendor
CVE Published:
22 May 2017

Summary

A cross-site scripting (XSS) vulnerability exists in the Telerik.ReportViewer.WebForms.dll component of Telerik Reporting for ASP.NET WebForms. This flaw allows remote attackers to inject arbitrary web script or HTML through the bgColor parameter in the Telerik.ReportViewer.axd endpoint. If successfully exploited, this can lead to unauthorized actions executed on behalf of users or data theft. Users are encouraged to update their versions to the latest release, R1 2017 SP2 (11.0.17.406) or higher, to mitigate the risk associated with this vulnerability.

References

http://www.telerik.com/support/whats-new/reporting/releas...
x_refsource_CONFIRM
https://knowledgebase.progress.com/articles/Article/Secur...
x_refsource_CONFIRM
https://www.veracode.com/blog/research/anatomy-cross-site...
x_refsource_MISC

EPSS Score

5% chance of being exploited in the next 30 days.

CVSS V3.1

Score:
6.1
Severity:
MEDIUM
Confidentiality:
Low
Integrity:
Low
Availability:
Low
Attack Vector:
Network
Attack Complexity:
Low
Privileges Required:
None
User Interaction:
Required
Scope:
Changed

Timeline

  • Vulnerability published

  • Vulnerability Reserved

.